Bitcoin Forum
  Show Posts
61  Economy / Gambling / Re: 2 player coin battles launched! Play your opponent to win or lose BTC on: August 19, 2016, 09:35:50 PM
We are reworking the site; see this thread for more info.
62  Bitcoin / Project Development / Re: Coin Battles - Open source P2P voting app for the Bitcoin blockchain. on: August 15, 2016, 07:23:02 PM
Whitepaper for this project has just been updated:
http://empirecoin.org/EmpirecoinWhitepaper.pdf

Feedback from the community on this idea would be greatly appreciated.
63  Bitcoin / Development & Technical Discussion / Re: Proof-of-Work designed for lower power consumption on: August 15, 2016, 05:48:13 PM
I've been working on a project where POW secures the network, but money is also given out by POS in proportion to coin days destroyed.  This effectively lowers the power consumption of the network since POW rewards are only a fraction of the coin's market cap.  For example 25% could be given out to miners and 75% to coin holders by gamified proof of stake.

I'm not sure if this could ever be bitcoin compatible since it relies on exponential inflation.

The whitepaper is here for anyone who's interested.
http://empirecoin.org/EmpirecoinWhitepaper.pdf
64  Bitcoin / Project Development / Re: EmpireCoin: Bug bounty program on: August 13, 2016, 05:27:18 PM
@ OP, you may lock this thread since you have a replica of it at the service section where you are having a better response.

Whoops, I was not aware of the lock & move thread options. Locking...
65  Bitcoin / Project Development / Re: EmpireCoin: Open-source blockchain gaming platform on: August 13, 2016, 05:25:07 PM
To get a better idea of this project, please join one of our free daily mock election games which will be running until the US election.
Bitcointalk - Mock Election 2016

Wallet screenshot
66  Economy / Service Announcements / Re: [PRE-ANN] EmpireCoin - Multiplayer social strategy game played for bitcoins. on: August 13, 2016, 05:15:46 PM
We have a series of daily virtual prediction market games running right now where you can vote for Trump, Clinton or Gary Johnson.  It is free to join and at least $5 in BTC is paid out to winners of each game.

Visit http://empirecoin.org or see our Mock Election 2016 thread if you are interested.
67  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 13, 2016, 05:05:33 PM
Looks interesting Joey.Rich  Smiley
Will look into joining into it soon! Grin

We need more testers, would love to have you in the game! Right now, we have a series of election-themed games running.  Each game lasts a day or less and simulates the 2016 US Presidential election, with elections being held in each of the 50 states every 20 minutes.

See EmpireCoin: Mock Election 2016 thread to start playing.

I'm unsure if this has already been mentioned, but there is a small SQL error that I have found in api.php on your server.
When calling the API through a URL similar to /api/1, the SELECT query throws the error "Unknown column 'num_voting_options' in 'field list'". After looking in your sql folder, I believe the problem is that you are trying to query the table games to get the num_voting_options and max_voting_fraction columns, when these columns are instead located in the event_types table.
In addition, when querying the games table in the same query, you seem to deal with the game_id as a string by encasing it in apostrophes. Considering that in schema_initial.sql game_id is initialized as an int(11), this isn't needed and could cause problems down the line. If you're worried about SQL injection being used when not encasing the game_id, you could use the ctype_digit() function in PHP to be sure. If not, I would really suggest using PDO->prepare as NLNico suggested; it is a lot safer in general than simply trying to escape the strings before querying.

API functionality is not currently functional, since making some major changes recently.  I'll try to get it working soon though.  Will also be switching to prepared statements. Smiley
68  Economy / Games and rounds / Re: Mock Election 2016: Virtual prediction market. Vote Trump, Clinton or Johnson on: August 13, 2016, 04:53:21 PM
Glad you like it.

Mock Election 2016, Day 2 is now online.  Please join here: http://empirecoin.org/mock-election-2016-day-2/
4 players have joined so far, we need 8 more to start the game. This game starts when 12 join, but of course any number can join even after the game is started.

I have switched target block time from 60 seconds down to 20 seconds.  That means that this time, the game should run for approximately 8 hrs and 20 minutes.

I have also switched the voting cap from 50% down to 45% for today's game, to give the 3rd position candidate some chance to win.

Players can buy additional in-game coins by clicking "Buy more empirecoins" once you are logged in.  BTC paid there go into the game escrow & you receive equivalent empirecoins based on the current EMP/BTC exchange rate for the game. This exchange rate is pegged to BTC based on the current BTC in escrow vs empirecoins in existence for the game, rather than being determined by market rates.

Setting an auto voting strategy is recommended to make sure that you vote in each round:
69  Economy / Games and rounds / Re: Mock Election 2016: Virtual prediction market. Vote Trump, Clinton or Johnson on: August 13, 2016, 03:19:48 PM
Donald Trump wins the first game!
See the payout transaction here: https://blockchain.info/tx/9c1c1835b37ec11e1c7d7bf3b61d058eea0b1f9feddf441554d18719a0be6fe9



So, the winning president is random then? How is it decided?

The candidate with the highest number of electoral votes wins.

Mock elections are held in each of the 50 states, with one candidate winning each state and receiving all electoral votes from that state.

Determining the winner within each state is a little bit more complex.  Currently the voting cap is 50% for each state election.  This means that 50% is the max any candidate can receive; anyone with greater than 50% of votes is eliminated, allowing the candidate with 2nd most votes to win that state.

Top 5 performers in this game:
PNDGoo, 37.986k empirecoins
TheGAMER, 16.746k empirecoins
joey.rich, 13.427k empirecoins
xJuturna, 6,133 empirecoins
saidnursi, 2,717 empirecoins

Here are the results by state.  21 states had no winner since no votes were cast.
Donald Trump
Alabama
Colorado
Florida
Illinois
Iowa
Kansas
Louisiana
Missouri
Montana
Nebraska
New Hampshire
New Mexico
Vermont
Virginia
Washington
West Virginia
Hillary Clinton
Alaska
Arizona
Arkansas
California
Georgia
New York
South Dakota
Tennessee
Gary Johnson
Connecticut
Delaware
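The state-winner rule described above (any candidate over the voting cap is eliminated, the best remaining candidate takes all of that state's electoral votes, and the candidate with the most electoral votes wins), as an added example that is not part of the original post. The vote counts and elector weights are constructed sample input, and the zero-vote and tie handling are assumptions marked in the code.

```php
<?php
// Added example, not code from empirecoin-web. Implements the state-winner rule
// joey.rich describes: any candidate above the voting cap is eliminated and the
// best remaining candidate takes all of that state's electoral votes.
declare(strict_types=1);

/** @param array<string,int> $votes candidate => votes in one state; $cap e.g. 0.50 */
function stateWinner(array $votes, float $cap): ?string
{
    $total = array_sum($votes);
    if ($total === 0) {
        return null; // "21 states had no winner since no votes were cast"
    }
    $best = null;
    foreach ($votes as $candidate => $n) {
        // Strictly above the cap is eliminated, so exactly 50% at a 50% cap survives.
        // Assumption: a candidate with zero votes cannot win the state.
        if ($n === 0 || $n / $total > $cap) {
            continue;
        }
        if ($best === null || $n > $votes[$best]) {
            $best = $candidate; // assumption: on a tie the earlier entry keeps it
        }
    }
    return $best;
}

/**
 * @param array<string,array<string,int>> $byState  state => (candidate => votes)
 * @param array<string,int>               $electors state => electoral votes
 * @return array<string,int> candidate => electoral votes won, highest first
 */
function electoralTally(array $byState, array $electors, float $cap): array
{
    $tally = [];
    foreach ($byState as $state => $votes) {
        $winner = stateWinner($votes, $cap);
        if ($winner !== null) {
            $tally[$winner] = ($tally[$winner] ?? 0) + $electors[$state];
        }
    }
    arsort($tally); // overall winner is the first key
    return $tally;
}

// Constructed sample input: made-up vote counts and elector weights.
$sample = [
    'Florida'  => ['Trump' => 60, 'Clinton' => 30, 'Johnson' => 10], // 60% > cap, eliminated
    'Vermont'  => ['Trump' => 4, 'Clinton' => 5, 'Johnson' => 1],    // 50% is not > cap
    'Delaware' => ['Trump' => 0, 'Clinton' => 0, 'Johnson' => 0],    // no votes cast
];
$electors = ['Florida' => 29, 'Vermont' => 3, 'Delaware' => 3];
print_r(electoralTally($sample, $electors, 0.50));
```

Lowering the cap to 0.45 as in the Day 2 game changes only the elimination threshold; everything else in the tally is unchanged.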
70  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 12, 2016, 01:21:27 PM
TBH your whole code looks like a lot of security risks. I thought about making a proper list of vulnerabilities, but this would require a lot of time from me (since your site does look complex) and the bounties look a bit "uncertain". So I am not sure if I want to put like a few days of time into it TBH.



Just in general you REALLY should adjust this:

* NEVER ever use the "quote()" shit for protection of SQL injection. Use prepared statements (lookup PDO->prepare()) instead.
* Use CSRF protection probably just ALWAYS whenever there is user input. I am pretty sure I can steal the escrow coins by sending the escrow a URL that loads an iframe/post-form/etc to send the coins to me. This requires user interaction (escrow has to open a URL), but can be pretty easy/doable.
* IMO you shouldn't strip_tags before putting it in the DB. Just always sanitize the output to the user. A template system can help with this, some will HTML encode every variable by default.
* Best to make most scripts NOT public for visitors to access. Basically you should only have .htaccess + bootstrapper (index.php) in your public_html together with CSS/JS/images. All PHP should be outside of it and just loaded by index. In your situation, you could at least hide the cron/classes/includes/libs/scripts. For example I can get your RPC password here: http://empirecoin.org/scripts/getinfo.php That is probably some test file which you forgot to delete (and I assume the bitcoind is not running at the moment), but could be a serious problem.
* Just in general your code would be much easier to read (= easier to see bugs) if it's divided into MVC structure.
* Functions like rand() and mt_rand() are not cryptographically secure. It is possible to hack accounts on your site by using the "reset password" function and cracking mt_rand. Search for random_bytes() - I believe that is cryptographically secure in PHP lately.

All of those things are generally taken care of by a PHP framework. That is why using a PHP framework is pretty great. I really like Laravel lately. But converting your site to a PHP framework might take serious time.



On the positive side: it seems to have a lot of features and I can always appreciate open-source work.



Another SQL Injection is detected in "get_session.php" line 15.
$session_key is not escaped.
I am pretty sure session_id() verifies any session ID from cookie etc? I don't think you can get values with " with that. OP should still use prepared statements though.

session_id() should not be at risk of SQL injection since it is server side.  I have just escaped it anyways though.

I have also switched from mt_rand to openssl_random_pseudo_bytes.  Thanks to NLNico for the tip, I had not realized that mt_rand was insecure.
Also thanks to NLNico for pointing out the flaw in getinfo.php, which is now resolved.

Based on my research, PDO->quote is secure. There are only a couple of user-entered fields in the app and they are now being handled correctly to avoid CSRF.

NLNico, please PM me your BTC address to receive 0.1 BTC.
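As an added example (not code from empirecoin-web, written here to illustrate two points raised in this thread): the api.php game lookup from the earlier bug report, with the int(11) game_id validated by ctype_digit() and bound to a prepared statement rather than quoted as a string, and a password-reset token drawn from random_bytes() instead of mt_rand() as NLNico recommends. The games/event_types table and column names are the ones named in the thread; the join column and the PDO connection details are assumptions.

```php
<?php
// Added example, not code from the empirecoin-web repository. Assumes a PDO
// connection to the game database; DSN and credentials below are placeholders,
// and the games.event_type_id join column is an assumption.
declare(strict_types=1);

/**
 * Look up one game for the API. The thread describes the int(11) game_id being
 * quoted as a string (e.g. "... WHERE game_id = " . $db->quote($id)); here the
 * id is validated first and then bound as an integer parameter.
 */
function fetchGame(PDO $db, string $rawGameId): ?array
{
    // ctype_digit() accepts only an unsigned decimal literal, so a non-numeric
    // id never reaches the database; 10 digits keeps it within int(11) range.
    if (!ctype_digit($rawGameId) || strlen($rawGameId) > 10) {
        return null;
    }
    // num_voting_options / max_voting_fraction live in event_types, not games.
    $stmt = $db->prepare(
        'SELECT g.game_id, e.num_voting_options, e.max_voting_fraction
           FROM games g
           JOIN event_types e ON e.event_type_id = g.event_type_id
          WHERE g.game_id = :game_id'
    );
    $stmt->bindValue(':game_id', (int) $rawGameId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Password-reset token. mt_rand() is seeded with a 32-bit value and its output
 * is predictable, which is the reset-flow weakness NLNico points at;
 * random_bytes() (PHP >= 7.0) reads from the operating system's CSPRNG instead.
 */
function newResetToken(): string
{
    return bin2hex(random_bytes(32)); // 64 hex chars, 256 bits of entropy
}

/** Compare a submitted reset token with the stored one in constant time. */
function resetTokenMatches(string $submitted, string $stored): bool
{
    return hash_equals($stored, $submitted);
}

// Usage sketch with a placeholder DSN; emulated prepares are turned off so the
// MySQL server itself separates the query text from the bound parameters.
$db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER', 'PLACEHOLDER', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
var_dump(fetchGame($db, $_GET['game_id'] ?? ''));
```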
71  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 12, 2016, 12:17:24 PM
Would it not be a lot cheaper and maybe safer if you tried to hire a professional service for this?

I could be wrong but I think it's really the best and even quicker option since they also offer to fix the issues!

Because what if someone really finds a big hole and keeps it and doesn't tell you, and then uses it once there is a lot of cash to steal?

Since this is already open source, I don't see any additional risk from asking people here to check for flaws.

If vulnerabilities are found, multiple people should find them; therefore each person has an incentive to be the first to report & claim the bounty.
72  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 11, 2016, 05:08:30 PM
...I will implement salt & server side hashing soon. ...

I highly recommend you to use secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because the password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. Wireshark).

I will still keep the client side hashing but then hash & salt on server side.

Wireshark won't detect the passwords if they are converted to hashes after the onsubmit event. Though there is no need to use HTTPS for that specific purpose, you can use it for 100 other reasons anyway. On a side note, do implement DDoS prevention mechanisms. What's the point of making your website 100% accurate when it just won't take the load of the bots? Trust me, DDoS is one of the most frequent and primary attacks used to take down your site!

As we saw in the Heartbleed bug, encrypting with HTTPS is not necessarily secure; better to hash passwords on the client side first.

My webhost does provide some DDOS protection, I'm not sure how much though.  To handle DOS, this will soon be a P2P web app with many nodes.
73  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 11, 2016, 03:57:49 PM
15YnqdubKqeq3v7RVaV38Qk7FrvLpvZ5vG

Sent a PM also.

I have sent the 0.1 BTC, nice job finding this.
74  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 11, 2016, 03:55:12 PM
Well good to know then. There's still an injection in the link I found. My offer still stands if you want to know the link. You also might want to salt or increase the security of the passwords you store, unsalted SHA-256 sent over an unencrypted request is not very secure.
How about I fix that error for you, @OP? I can give you a solution to reject all the external access with the "easiest" query out there, like the one mentioned by KInzee. My pen testing tools are on the work! I should report to you if I come across any more vulnerabilities!

EDIT: Do DDoS attacks count?

Thanks for the suggestion, I will implement salt & server side hashing soon.

You are welcome to submit a PR if you'd like but I'm not willing to put a bounty for that change.

DDOS is not eligible as it is not a vulnerability within the empirecoin-web source code.
75  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 11, 2016, 08:22:28 AM
Detected SQL Injection Vulnerability : http://imgur.com/a/jBcfS
Trying to get further in.

Looks like another hole different from mine. But yes, all you need is time on your hand to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

Yes, he doesn't understand that.

I can send commands to the SQL, but I can't get data back.

I've been writing web applications for a long time and certainly understand SQL injections.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (i.e. the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.
76  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 10, 2016, 08:08:42 PM
Hi KingZee,

I had a problem where my VPS disk was full around the time you posted this, so I suspect that's what could have caused this error message.  If it really is a SQL injection and you can demo how to replicate, I can send you 0.2 BTC.
77  Bitcoin / Project Development / Re: EmpireCoin: Bug bounty program on: August 10, 2016, 09:37:18 AM
Thanks for the tip, I have moved this to Economy -> Services.
https://bitcointalk.org/index.php?topic=1581253
78  Economy / Services / EmpireCoin: Bug bounty program on: August 10, 2016, 09:36:30 AM


EmpireCoin: Bug Bounty Program

EmpireCoin is an open source gaming & blockchain prediction market platform.  For more information about this project, check the following threads:
EmpireCoin pre-announcement
Mock Election 2016
Free game: Red vs Blue

To guarantee the security of this platform, we are offering the following bug bounties:

0.5 BTC - Remove bitcoins from an EmpireCoin.org escrow account.
0.1 - 1 BTC - Demonstrate a vulnerability in the empirecoin-web source code

In order to receive the bounty, you must describe your exploit so that it can be fixed.

EmpireCoin uses the bitcoin-sci library to generate Bitcoin escrow addresses.  Details on escrowed funds are available on pages like this:
http://empirecoin.org/mock-election-2016/?action=show_escrow

The EmpireCoin source code is available here:
http://github.com/TeamEmpireCoin/empirecoin-web
79  Alternate cryptocurrencies / Altcoin Discussion / Altcoin betting platform: which idea should I implement next? on: August 10, 2016, 08:59:05 AM


Poll: Theme & functionality for next game

EmpireCoin is a new crypto gaming platform, compatible with the Bitcoin blockchain, where players can win coins by making inflation-subsidized bets.  Players cast votes by transferring coins between their own addresses.  For more information, please visit EmpireCoin.org or read the following threads:
EmpireCoin pre-announcement
Mock Election 2016
Free game: Red vs Blue
EmpireCoin bug bounties

This poll has been set up to get input from the community on the next steps for this program.  Please vote for one of the options in this poll and/or post a comment justifying your answer.
80  Bitcoin / Project Development / EmpireCoin: Bug bounty program on: August 10, 2016, 08:29:49 AM


EmpireCoin: Bug Bounty Program

EmpireCoin is an open source gaming & blockchain prediction market platform.  For more information about this project, check the following threads:
EmpireCoin pre-announcement
Mock Election 2016
Free game: Red vs Blue

To guarantee the security of this platform, we are offering the following bug bounties:

0.5 BTC - Remove bitcoins from an EmpireCoin.org escrow account.
0.1 - 1 BTC - Demonstrate a vulnerability in the empirecoin-web source code

In order to receive the bounty, you must describe your exploit so that it can be fixed.

EmpireCoin uses the bitcoin-sci library to generate Bitcoin escrow addresses.  Details on escrowed funds are available on pages like this:
http://empirecoin.org/mock-election-2016/?action=show_escrow

The EmpireCoin source code is available here:
http://github.com/TeamEmpireCoin/empirecoin-web